MAB, Apple-device profile

mustafa83 — Mon, 11 Mar 2019 08:53:38 GMT

Hi,

How are you profiling OS-X devices for MAB in your place?

While working in ISE 2.4(patch 3), found out if you spoof the mac-address of Macbook Pro Ethernet dangle which mine start with mac (68:5b:35) to match of one of Cisco provided profiles that is OUI(mac-address prefix) based or a profile you created that is OUI based, then that Macbook pro profiled as that device and not as Apple-device which is a huge issue for me, because guest apple OS-X devices should be getting guest access and not the full access that assigned to the profiles (my environment is a testing environment for now) , i'm using cisco provided apple-device profiles without any changes

I will demonstrate Crestron-device which is profile Cisco provided profile based on device OUI so if the mac-address prefix start with 00:10:7F then they profiled Crestron-device.

1- allowed crestron to get full access to the network or any level access ,assuming that we have it in production and need to access internal resources, its done via policy set if endpoint policy=crestron device

2- changed my macbook pro mac address to 00:10:7F:00:12:34 with command sudo ifconfig en3 ether 00:10:7F:00:12:34

2- started endpoint debug

3- no shutdown the access port

dhcp probe

MAC: 00:10:7F:00:12:34
Attribute:BYODRegistration value:Unknown
Attribute:DeviceRegistrationStatus value:NotRegistered
Attribute:EndPointPolicy value:Unknown
Attribute:EndPointPolicyID value:
Attribute:EndPointSource value:DHCP Probe
Attribute:IdentityGroup value:
Attribute:IdentityGroupID value:
Attribute:MACAddress value:00:10:7F:00:12:34
Attribute:MatchedPolicy value:Unknown
Attribute:MatchedPolicyID value:
Attribute:NmapSubnetScanID value:0
Attribute:OUI value:CRESTRON ELECTRONICS, INC.
Attribute:PolicyVersion value:0
Attribute:PortalUser value:
Attribute:PostureApplicable value:Yes
Attribute:StaticAssignment value:false
Attribute:StaticGroupAssignment value:false
Attribute:Total Certainty Factor value:0
Attribute:chaddr value:00:10:7f:00:12:34
Attribute:ciaddr value:0.0.0.0
Attribute:dhcp-client-identifier value:01:00:10:7f:00:12:34
Attribute:dhcp-lease-time value:7776000
Attribute:dhcp-max-message-size value:1500
Attribute:dhcp-message-type value:DHCPREQUEST
Attribute:dhcp-parameter-request-list value:1, 121, 3, 6, 15, 119, 252, 95, 44, 46
Attribute:dhcp-requested-address value:10.101.234.27
Attribute:flags value:0x0000
Attribute:giaddr value:10.101.234.1
Attribute:hlen value:6
Attribute:hops value:1
Attribute:host-name value:Mustafas-MBP
Attribute:htype value:Ethernet (10Mb)
Attribute:ip value:10.101.234.27
Attribute:op value:BOOTREQUEST
Attribute:secs value:0
Attribute:tranID value:0x94a74c38
Attribute:yiaddr value:0.0.0.0
Attribute:SkipProfiling value:false

results:

Attribute:AAA-Server value:SNS-PSN1
Attribute:AcsSessionID value:SNS-PSN1/334707989/1080
Attribute:AuthenticationIdentityStore value:Internal Endpoints
Attribute:AuthenticationMethod value:Lookup
Attribute:AuthenticationStatus value:AuthenticationPassed
Attribute:AuthorizationPolicyMatchedRule value:SNS DATA
Attribute:BYODRegistration value:Unknown
Attribute:CPMSessionID value:0A65EA050000103942F963D8
Attribute:Called-Station-ID value:E0-D1-73-8E-FA-84
Attribute:Calling-Station-ID value:00-10-7F-00-12-34
Attribute:DTLSSupport value:Unknown
Attribute:DestinationIPAddress value:10.155.76.89
Attribute:DestinationPort value:1812
Attribute:Device IP Address value:switch ip removed
Attribute:Device Type value:Device Type#switch type removed
Attribute:DeviceRegistrationStatus value:notRegistered
Attribute:EndPointMACAddress value:00-10-7F-00-12-34
Attribute:EndPointMatchedProfile value:Crestron-Device
Attribute:EndPointPolicy value:211fce40-8c00-11e6-996c-525400b48521
Attribute:EndPointPolicyID value:
Attribute:EndPointSource value:RADIUS Probe
Attribute:FailureReason value:-
Attribute:Framed-IP-Address value:10.101.234.27
Attribute:Framed-MTU value:1500
Attribute:IPSEC value:IPSEC#Is IPSEC Device#No
Attribute:ISEPolicySetName value:WIRED_MAB
Attribute:IdentityGroup value:
Attribute:IdentityGroupID value:
Attribute:IdentityPolicyMatchedRule value:INTERNAL_AUTHEN
Attribute:IdentitySelectionMatchedRule value:INTERNAL_AUTHEN
Attribute:IsThirdPartyDeviceFlow value:false
Attribute:Location value:Location#location removed
Attribute:MACAddress value:00:10:7F:00:12:34
Attribute:MatchedPolicy value:Unknown
Attribute:MatchedPolicyID value:
Attribute:MessageCode value:5200
Attribute:NAS-IP-Address value:switch ip removed
Attribute:NAS-Port value:50104
Attribute:NAS-Port-Id value:GigabitEthernet1/0/4
Attribute:NAS-Port-Type value:Ethernet
Attribute:Name value:Endpoint Identity Groups:Profiled
Attribute:Network Device Profile value:Cisco
Attribute:NetworkDeviceGroups value:Location#location removed, Device Type#switch type removed, IPSEC#Is IPSEC Device#No
Attribute:NetworkDeviceName value:Mustafa_ISE_3850
Attribute:NetworkDeviceProfileId value:b0699505-3150-4215-a80e-6753d45bf56c
Attribute:NetworkDeviceProfileName value:Cisco
Attribute:NmapSubnetScanID value:0
Attribute:OUI value:CRESTRON ELECTRONICS, INC.
Attribute:OriginalUserName value:00107f001234
Attribute:PolicyVersion value:0
Attribute:PortalUser value:
Attribute:PostureApplicable value:Yes
Attribute:PostureAssessmentStatus value:NotApplicable
Attribute:RadiusFlowType value:WiredMAB
Attribute:RequestLatency value:40
Attribute:Response value:{UserName=00:10:7F:00:12:34; User-Name=00-10-7F-00-12-34; State=ReauthSession:0A65EA050000103942F963D8; Class=CACS:0A65EA050000103942F963D8:SNS-PSN1/334707989/1080; cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT-ALL-TRAFFIC-5c088efb; cisco-av-pair=profile-name=Crestron-Device; LicenseTypes=1539; }
Attribute:SSID value:E0-D1-73-8E-FA-84
Attribute:SelectedAccessService value:SNS-PROTOCOLS
Attribute:SelectedAuthenticationIdentityStores value:Internal Endpoints
Attribute:SelectedAuthorizationProfiles value:Full Access
Attribute:Service-Type value:Call Check
Attribute:StaticAssignment value:false
Attribute:StaticGroupAssignment value:false
Attribute:StepData value:5= Normalised Radius.RadiusFlowType, 7=Internal Endpoints, 14= EndPoints.EndPointPolicy
Attribute:Total Certainty Factor value:0
Attribute:UseCase value:Host Lookup
Attribute:User-Name value:00107f001234
Attribute:UserName value:00-10-7F-00-12-34
Attribute:UserType value:Host
Attribute:allowEasyWiredSession value:false
Attribute:cisco-av-pair value:service-type=Call Check, audit-session-id=0A65EA050000103942F963D8, method=mab
Attribute:ip value:10.101.234.27
Attribute:SkipProfiling value:false

as you can see the OUI is Crestron and its getting that access level which is full in my case,

the only attribute from apple OSX (client side) is the dhcp-parameter-request-list value:1, 121, 3, 6, 15, 119, 252, 95, 44, 46 so i went ahead and and modify apple-device profile to check for this value and to increase the certainty by 20 to override the crestron certainty of 5.

Here is the result

MAC: 00:10:7F:00:12:34
Attribute:AAA-Server value:SNS-PSN1
Attribute:AuthenticationIdentityStore value:Internal Endpoints
Attribute:AuthenticationMethod value:Lookup
Attribute:AuthorizationPolicyMatchedRule value:NON-SNS-APPLE_NON-SNS-USER(GUEST)
Attribute:BYODRegistration value:Unknown
Attribute:CacheUpdateTime value:1546972431455
Attribute:Calling-Station-ID value:00-10-7F-00-12-34
Attribute:CreateTime value:1546972400212
Attribute:DTLSSupport value:Unknown
Attribute:DestinationIPAddress value:10.150.67.89
Attribute:Device Identifier value:
Attribute:Device Type value:Device Type#switch type removed
Attribute:DeviceRegistrationStatus value:NotRegistered
Attribute:EndPointPolicy value:Apple-MacBook
Attribute:EndPointPolicyID value:09c71730-8c00-11e6-996c-525400b48521
Attribute:EndPointProfilerServer value:SNS-PSN1.my.place.net
Attribute:EndPointSource value:RADIUS Probe
Attribute:FailureReason value:-
Attribute:FirstCollection value:1546972399878
Attribute:Framed-IP-Address value:10.101.234.27
Attribute:IdentityGroup value:Profiled
Attribute:IdentityGroupID value:aa10ae00-8bff-11e6-996c-525400b48521
Attribute:LastActivity value:1546972430885
Attribute:LastNmapScanTime value:0
Attribute:Location value:Location#location removed
Attribute:MACAddress value:00:10:7F:00:12:34
Attribute:MDMServerID value:
Attribute:MatchedPolicy value:Apple-MacBook
Attribute:MatchedPolicyID value:09c71730-8c00-11e6-996c-525400b48521
Attribute:MessageCode value:3000
Attribute:NAS-IP-Address value:10.101.234.5
Attribute:NAS-Port-Id value:GigabitEthernet1/0/4
Attribute:NAS-Port-Type value:Ethernet
Attribute:NetworkDeviceName value:Mustafa_ISE_3850
Attribute:NmapScanCount value:0
Attribute:NmapSubnetScanID value:0
Attribute:OUI value:CRESTRON ELECTRONICS, INC.
Attribute:PhoneID value:
Attribute:PolicyVersion value:12
Attribute:PortalUser value:
Attribute:PostureApplicable value:Yes
Attribute:RegistrationTimeStamp value:0
Attribute:SSID value:E0-D1-73-8E-FA-84
Attribute:SelectedAuthorizationProfiles value:SNS GUEST
Attribute:StaticAssignment value:false
Attribute:StaticGroupAssignment value:false
Attribute:TimeToProfile value:315
Attribute:Total Certainty Factor value:30
Attribute:UniqueSubjectID value:
Attribute:UpdateTime value:0
Attribute:User-Name value:00107f001234
Attribute:UserName value:00-10-7F-00-12-34
Attribute:UserType value:Host
Attribute:ciaddr value:0.0.0.0
Attribute:dhcp-parameter-request-list value:1, 121, 3, 6, 15, 119, 252, 95, 44, 46
Attribute:dhcp-requested-address value:10.101.234.27
Attribute:host-name value:Mustafas-MBP
Attribute:ip value:10.101.234.27
Attribute:SkipProfiling value:false

from the results we saw OS-X profiled successfully as as apple-device regardless of the user's mac spoofing attempt, Cisco released Parameter Request List Value

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116235-configure-ise-00.html

but my macbook Parameter wasn't part of the list, it look like the list is dated

now i have few questions

- will this attribute change or vary from model/OS release to another? if yes, how can we make sure we have the latest Parameter? where it can be found Cisco ISE doc or Apple site?

- is there any other attribute we can count on that is hard solid and will never change?

please understand those macbook devices belongs to the guests so i cant install any clients/application on them and we dont have access to their hostname, OS-X version nor model, and for crestron and other profile which i'm not willing to modify to accommodate the apple-devices because the number of profiles are big and not sure if/when Cisco will update one of their provided profile, looking for solution from apple-device profile side.

FYI: This is not an issue with Windows as windows have many attributes that ISE capture, so changing mac addresses wont matter(if you are using the default profiles) and no changes, no sure and about linux but its in the scope after apple-devices issue resolved.

Thanks,

Mustafa

topic MAB, Apple-device profile in Network Access Control

MAB, Apple-device profile